A new policy paper suggests that the current discussion about impending "cyber …


Turn any corner in the complex metropolis that is Internet policy and you'll hear about the "cybersecurity" crisis in two nanoseconds. As a consequence, the public is treated to a regular diet of draconian fare coming from Sixty Minutes and Fresh Air about the "growing cyberwar threat."

Former National Security Adviser Richard A. Clarke suggests a thought exercise in his hit book Cyber War: imagine you are the assistant to the president for Homeland Security. The National Security Agency has just sent a critical alert to your BlackBerry: "Large scale movement of several different zero day malware programs moving on Internet in US, affecting critical infrastructure."

As you get to your HQ, one of the DoD's main networks has already crashed; computer system failures have caused huge refinery fires around the country; the Federal Aviation Administration's air traffic control center in Virginia is collapsing, and that's just the beginning.

"The Chairman of the Fed just called," the Secretary of the Treasury tells you. "Their data centers and their backups have had some sort of major disaster. They have lost all their data." Power blackouts are sweeping the country. Thousands of people have already died. "There is more going on," Clarke narrates, "but the people who should be reporting to you can't get through."

This sort of scare-the-children prose has become something close to the norm, complain George Mason University Mercatus Center researchers Jerry Brito and Tate Watkins in a new working paper about what they see as the real problem—"threat inflation."

"The rhetoric of 'cyber doom'," Brito and Watkins write, "lacks clear evidence of a serious threat that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well."

Our past experience

The paper's title is "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy." As that last paragraph suggests, these authors see a clear and present parallel between the cyberwar debate and the rhetoric of the Bush administration after September 11, 2001.

First, the paper notes, the White House implied that Iraq's then dictator Saddam Hussein had something to do with the attacks on New York City and the Pentagon. Then the government convinced influential newspapers like The New York Times to favorably quote administration leaks suggesting that Iraq possessed weapons of mass destruction.

Both of these assertions were ultimately debunked, but the damage was done. As late as 2006, polls indicated that 40 percent of the US population still thought that Hussein was somehow in on 9/11.

As with that story, "there is very little verifiable evidence" to back up the cyber threats claimed now, "and the most vocal proponents of a threat engage in rhetoric that can only be characterized as alarmist," Brito and Watkins write. "Cyber threat inflation parallels what we saw in the run-up to the Iraq War."

Probed daily

The paper is particularly hard on the report of the Commission on Cybersecurity for the 44th Presidency. Launched by the Center for Strategic and International Studies, it came complete with a distinguished panel of academics, consultants, IT industry biggies, and former government officials. What it didn't come with, the Mercatus study contends, was much evidence for the dire situation it posited—that the protection of cyberspace "is a battle we are losing."

For example, the CSIS report warned that Department of Defense computers are "probed hundreds of thousands of times each day." But of course that's true, the paper notes. Probing and scanning are the norm in cyberspace, with software constantly trying the doors of websites and portals.

Then the blue ribbon document contended that "porous information systems have allowed opponents to map our vulnerabilities and plan their attacks."

"Depriving Americans of electricity, communications, and financial services may not be enough to provide the margin of victory in a conflict, but it could damage our ability to respond and our will to resist. We should expect that exploiting vulnerabilities in cyber infrastructure will be part of any future conflict."

Where, the Mercatus researchers ask, was the evidence that America's opponents have "mapped vulnerabilities" and "planned attacks"? These sorts of reports often imply that they're working from classified sources. But: "If our past experience with threat inflation teaches us anything, it is that we cannot accept the word of government officials with access to classified information as the sole source of evidence for the existence or scope of a threat."

Clarke and the present danger

Richard Clarke's doomsday scenarios are next on the Mercatus paper's takedown list. Clarke's book cites the distributed denial of service attacks on Estonian and Georgian websites in 2007 and 2008 as particularly ominous. Obviously these assaults were serious and consequential, Brito and Watkins agree. But how do we get from botnet-infested computers or networks to the blackout, fire, and infrastructure collapse scenarios that Cyber War posits?

We just don't, they insist, and they also take Clarke to task for citing the Brazil blackout of 2007 as another Exhibit A for future cyber eschatologies. The going thesis for a while was that the disaster was prompted by criminal hacking. But subsequent probes of the crisis by the power company and its regulator concluded that dirt on high voltage insulators caused the outage.

Ditto for the Northeast power blackout of 2003, which was suspected of being part of a worm-based cyberattack but found to be no such thing in a subsequent investigation.

It's pretty obvious that these researchers deplore Clarke's book, especially speculations that the Russians "are probably saving their best cyber weapons for when they really need them, in a conflict in which NATO and the United States are involved."

This sort of prose is "eerily reminiscent of the suggestion before the invasion of Iraq that although we lacked the type of evidence of WMD that might lead us to action, we would not want 'the smoking gun to be a mushroom cloud'," Brito and Watkins write.

Cyber pork

The Mercatus authors see very little good in this rhetoric, and many bad outcomes. They see unjustified regulation of the Internet as one possibility, and as Ars readers know, Congress has considered a bill that at one point would have given the president the authority to shut the 'Net down in the event of a cyberattack.

They also see corporations ratcheting up the volume on the issue to bring in defense contracting dollars, and politicians joining the panic party to deliver federal money to their districts. But ultimately what they see is a scaremongering discourse that will make it impossible to realistically assess the cybersecurity situation.

"Let us be very clear," their essay acknowledges: "although we are skeptical of the scope of the threat as presented by the proponents of regulation, we do not doubt that cyber threats do exist, nor would we suggest that regulation can never be appropriate. What we do propose is that before we rush to regulate cyberspace we should first demand verifiable evidence of the threat and its scope and, second, we should use any such evidence to conduct a proper analysis to determine whether regulation is necessary and if it will do more good than harm."


Matthew Lasar
Matt writes for Ars Technica about media/technology history, intellectual property, the FCC, or the Internet in general. He teaches United States history and politics at the University of California at Santa Cruz. Email: matthew.lasar@arstechnica.com // Twitter: @matthewlasar